1. A Cloud-Oriented Cross-Domain Security Architecture 단국대학교 컴퓨터 보안 및 OS 연구실 peonix120@gmail.com 임경환 2015. 04. 16 Thuy D. NguyenMark A. Gondree The 2010 Military Communications Conference

2. Computer Security & OS Lab. ContentsContents 2  INTRODUCTION  OVERALL ARCHITECTURE  Security Features  Security policy  Conclusion  Reference  Q & A

3. Computer Security & OS Lab. INTRODUCTIONINTRODUCTION 3  Extended version of MYSEA(Monterey Security Architecture) This is designed to address the inefficient exchange of information in military “silo” environment. Supporting a cloud of cross-domain service.

4. Computer Security & OS Lab. INTRODUCTIONINTRODUCTION 4  Multilevel secure(MLS) system Manages information of different security and enforces a mandatory security policy to control both information access and information flow.  MLS policy enforcement mechanism Access to information in an MLS system is governed by the classification level of the information, the security clearance of the requester and whether the requester has a need to access the information.  Need-to-know

5. Computer Security & OS Lab. OVERALL ARCHITECTURE 5

6. Computer Security & OS Lab. OVERALL ARCHITECTURE 6  MYSEA Cloud Servers Federated Services Manager user sessions, service availability Authentication Server I & A supporting policy Dynamic Security Service Manager service management mechanism Application Server web browsing, wkiki, email, … service

7. Computer Security & OS Lab. OVERALL ARCHITECTURE 7  Special Purpose Trustworthy Components Trusted Path Extension(TPE) acts as a gate keeper between the workstation and the MYSEA cloud. Trusted Channerl Module(TCM) serves as a multiplexer that labels incoming network traffic from single-level service.

8. Computer Security & OS Lab. Security Features 8  Secure connections to classified network  Centralized security management  Use of adaptive security techniques to provide dynamic security services  High assurance trusted path and trusted channel techniques for managing access to the MLS cloud

9. Computer Security & OS Lab. SECURITY POLICIES 9  MYSEA controls access to resources using both mandatory access control and discretionary access control. lattice-based confidentiality Bell and L. LaPadula, Biba  Identification and Authentication( I & A), Audit. I & A, the MYSEA Server ensures that users are afforded a trusted communication path between the user and the MYSEA Server, and that the user’s claimed identity and authentication credentials are validated before a user session is established. Audit, the MYSEA Server accounts for all users actions, either taken directly by the user (e.g., trusted path invocation) or by software acting on the user’s behalf (e.g., a web server process).

10. Computer Security & OS Lab. Dynamic Security Service 10  The DSS design follows the standard policy management paradigm policy input point (PIP) policy repository policy decision point(PDP) policy enforcement point(PEP)

11. Computer Security & OS Lab. ConclusionsConclusions 11  Cloud computing promotes agility, scalability, collaboration, and sharing of resources across domains/organizations but inherits the same security risks  MYSEA integrates support for cloud computing functionality with the strong security properties.  MYSEA’s security features include strong cross-domain access controls, protection of system assets with different security classification.

12. Computer Security & OS Lab. ReferenceReference 12 [1] CNSS Instruction No. 4009, “National information assurance (IA) glossary,” Committee on National Security Systems, Revised June 2006. [2] M. Bailey, “The unified cross domain management office: bridging security domains and cultures,” CrossTalk magazine, vol. 21, no. 7, pp. 21–23, July 2007. [3] D. E. Bell and L. LaPadula, “Secure computer system: unified exposition and Multics interpretation,” Technical Report ESD-TR-75- 306, The MITRE Corporation, Hanscom AFB, MA, 1975. [4] K. J. Biba, “Integrity considerations for secure computer systems,” Tech. Report ESD-TR-76-372, The MITRE Corporation, 1977.

13. 감사합니다.